Update dependency node-fetch to v2.7.0

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
node-fetch	2.6.1 → 2.7.0

---

Release Notes

node-fetch/node-fetch (node-fetch)

v2.7.0

Compare Source

Features

• AbortError (#​1744) (9b9d458)

v2.6.13

Compare Source

Bug Fixes

• Remove the default connection close header (#​1765) (65ae25a), closes #​1735 #​1473 #​1736

v2.6.12

Compare Source

Bug Fixes

• socket variable testing for undefined (#​1726) (8bc3a7c)

v2.6.11

Compare Source

Reverts

• Revert "fix: handle bom in text and json (#​1739)" (#​1741) (afb36f6), closes #​1739 #​1741

v2.6.10

Compare Source

Bug Fixes

• handle bom in text and json (#​1739) (29909d7)

v2.6.9

Compare Source

Bug Fixes

• "global is not defined" (#​1704) (70f592d)

v2.6.8

Compare Source

Bug Fixes

• headers: don't forward secure headers on protocol change (#​1605) (fddad0e), closes #​1599
• premature close with chunked transfer encoding and for async iterators in Node 12 (#​1172) (50536d1), closes #​1064 /github.com/node-fetch/node-fetch/pull/1064#issuecomment-849167400
• prevent hoisting of the undefined global variable in browser.js (#​1534) (8bb6e31)

v2.6.7

Compare Source

Security patch release

Recommended to upgrade, to not leak sensitive cookie and authentication header information to 3th party host while a redirect occurred

What's Changed

• fix: don't forward secure headers to 3th party by @​jimmywarting in #​1453

Full Changelog: node-fetch/node-fetch@v2.6.6...v2.6.7

v2.6.6

Compare Source

What's Changed

• fix(URL): prefer built in URL version when available and fallback to whatwg by @​jimmywarting in #​1352

Full Changelog: node-fetch/node-fetch@v2.6.5...v2.6.6

v2.6.5

Compare Source

v2.6.4

Compare Source

v2.6.3

Compare Source

v2.6.2

Compare Source

fixed main path in package.json

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[github-actions]

Renovate PR Review Results

⚖️ Safety Assessment: ⚠️ Needs Manual Migration

🔍 Release Content Analysis

• Major Feature: Added AbortError support for better error handling when requests are aborted
• Dependency Changes: Introduces whatwg-url v5.0.0 and related dependencies (tr46, webidl-conversions)
• Known Issue: v2.7.0 has a faulty NPM upload where the intended dependency update to whatwg-url v14 was not properly published, leaving the deprecated v5 dependency
• Security Fixes: Multiple security patches between v2.6.1 and v2.7.0 including:
  • Prevention of secure headers forwarding to 3rd party hosts on redirects (v2.6.7)
  • Fixes for premature close issues with chunked transfer encoding (v2.6.8)
  • BOM handling improvements in text and JSON parsing (v2.6.10-v2.6.11)

🎯 Impact Scope Investigation

• Usage Locations: node-fetch is used in 2 places in /home/runner/work/piston/piston/api/src/package.js:
  • Line 59: const download = await fetch(this.download); - for downloading package archives
  • Line 201: const repo_content = await fetch(config.repo_url).then(x => x.text()); - for fetching package repository content
• Current Usage Pattern: Simple HTTP GET requests with .text() and response body streaming - both are basic usage patterns that remain stable
• Additional Dependencies: The update adds 3 new transitive dependencies but they are contained within node-fetch's dependency tree

💡 Recommended Actions

• Monitor for Deprecation Warnings: The faulty NPM upload means whatwg-url v5 dependency may trigger punycode deprecation warnings in newer Node.js versions (21.2.0+)
• Safe to Merge: The API changes are backward compatible and current usage patterns in Piston will continue to work
• Future Planning: Consider monitoring for a potential v2.7.1 release that properly fixes the dependency issue
• Testing Recommendation: Verify that package downloads and repository fetching continue to work as expected after the update

🔗 Reference Links

• node-fetch v2.7.0 Release Notes
• Faulty NPM Upload Issue #1797
• Security Fix v2.6.7

Generated by koki-develop/claude-renovate-review